Opened 4 years ago

Closed 4 years ago

#3661 closed enhancement (wontfix)

lock upstream dependencies and use service like pyup.io to update them

Reported by: rutsky
Owned by:
Priority: major
Milestone: undecided
Version:
Keywords:
Cc:

Description

Buildbot's dependencies release new versions relatively often: new versions of Twisted, Sphinx, pyflakes, etc.

Buildbot doesn't set an upper bound on most dependency versions, so when a new version of a dependency arrives, it is immediately used by Buildbot CI.

The problem is that "immediately" means "with the next PR", and sometimes a perfectly correct PR fails with strange errors (unexpected to the PR author) due to some issue with the new dependency version.

This problem is solved in some other projects by:

  1. Locking dependency versions in requirements.txt (or requirements-test.txt, requirements-dev.txt) and using them in CI.
  2. Enabling and configuring https://pyup.io/ for the GitHub repository.

pyup.io tracks new releases on PyPI and submits pull requests updating dependencies to their current latest version. In the PR it also prints a nice changelog for the updated dependency (example).

With such a pipeline, the latest dependencies for CI are updated only in PRs from pyup.io, and only those should fail due to new-version incompatibilities.
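The locking step above only protects CI if the pinned file actually stays pinned: one `>=` or bare package name reintroduces the "next PR fails on a fresh release" problem. Below is an added example, not Buildbot's code and not part of this ticket, of a small check that a CI job can run before `pip install -r requirements.txt`. It fails the build on anything that is not an exact `==`/`===` pin (ranges, wildcards, bare names, editable or VCS entries) and can optionally insist on `--hash` entries. The function name `check_pins` and the `SAMPLE_REQUIREMENTS` file content are constructed for illustration.

```python
"""Fail CI when a requirements file contains anything other than exact pins.

Added example (hypothetical helper, not Buildbot's or pyup's code). The parsing
follows pip's requirements-file syntax: comments, backslash continuations,
-r/-c includes and other options, [extras], ';' environment markers and
per-requirement --hash options.
"""
import re
import sys

# A '#' at line start or after whitespace begins a comment (as in pip).
_COMMENT_RE = re.compile(r"(^|\s)#.*$")
# name[extras] followed by whatever version specifier is left on the line.
_NAME_RE = re.compile(r"^([A-Za-z0-9][A-Za-z0-9._-]*)(\[[^\]]*\])?\s*(.*)$")
# A single PEP 440 clause: operator plus version.
_CLAUSE_RE = re.compile(r"^(===|==|!=|<=|>=|~=|<|>)\s*(\S+)$")


def _logical_lines(text):
    """Yield (first_line_number, line) with comments stripped and
    backslash-continued lines joined, skipping blank results."""
    buf, start = [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = _COMMENT_RE.sub("", raw).rstrip()
        if start is None:
            start = lineno
        if line.endswith("\\"):
            buf.append(line[:-1])
            continue
        buf.append(line)
        joined = " ".join(buf).strip()
        first, buf, start = start, [], None
        if joined:
            yield first, joined


def check_pins(text, require_hashes=False):
    """Return a list of (line_number, reason, line) for every entry in a
    requirements file that is not an exact pin; an empty list means locked."""
    violations = []
    for lineno, line in _logical_lines(text):
        if line.startswith("-"):
            # pip options: -r/-c includes, --index-url, ... are not dependencies,
            # but an editable (-e) entry tracks a branch rather than a release.
            if line.startswith(("-e ", "--editable")):
                violations.append((lineno, "editable requirement is not a pinned release", line))
            continue
        # Split off per-requirement options such as --hash=sha256:...
        req, *opts = line.split(" --")
        has_hash = any(o.startswith("hash=") for o in opts)
        # Drop the environment marker; it does not affect pinning.
        req = req.partition(";")[0].strip()
        if "://" in req or "@" in req:
            violations.append((lineno, "URL/VCS requirement is not a pinned release", line))
            continue
        m = _NAME_RE.match(req)
        if not m:
            violations.append((lineno, "unparseable requirement", line))
            continue
        spec = m.group(3).strip()
        clauses = [c.strip() for c in spec.split(",")] if spec else []
        reason = None
        if not clauses:
            reason = "no version specified"
        elif len(clauses) > 1:
            reason = "version range instead of an exact pin"
        else:
            cm = _CLAUSE_RE.match(clauses[0])
            if not cm:
                reason = "unparseable version specifier"
            elif cm.group(1) not in ("==", "==="):
                reason = "operator %s is not an exact pin" % cm.group(1)
            elif "*" in cm.group(2):
                reason = "wildcard version is not an exact pin"
        if reason is None and require_hashes and not has_hash:
            reason = "missing --hash"
        if reason is not None:
            violations.append((lineno, reason, line))
    return violations


# Constructed sample input; not Buildbot's real requirements file.
SAMPLE_REQUIREMENTS = """\
# constructed sample requirements file
Twisted==18.7.0
sphinx>=1.8,<2.0
pyflakes
mock==2.0.0 ; python_version < "3.3"
autobahn[twisted]==18.9.2 \\
    --hash=sha256:0000000000000000000000000000000000000000000000000000000000000000
future==0.17.*
-r requirements-test.txt
-e git+https://github.com/buildbot/buildbot.git#egg=buildbot
"""

if __name__ == "__main__":
    # Usage: python check_pins.py requirements.txt [--require-hashes]
    args = [a for a in sys.argv[1:] if not a.startswith("--")]
    text = open(args[0]).read() if args else SAMPLE_REQUIREMENTS
    found = check_pins(text, require_hashes="--require-hashes" in sys.argv)
    for lineno, reason, line in found:
        print("line %d: %s: %s" % (lineno, reason, line))
    sys.exit(1 if found else 0)
```

Run against the constructed sample, the check reports the range on line 3, the bare name on line 4, the wildcard on line 8 and the editable entry on line 10; with `--require-hashes` it additionally flags the pinned-but-unhashed entries on lines 2 and 5, which is the stricter mode worth enabling once every pin carries a `--hash` and `pip install --require-hashes` is used in CI.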

Change History (4)

comment:1 Changed 4 years ago by tardyp

Last time we looked, the dependency management service was not supporting several packages per git tree.

We need that, and we also need to have optional requirements supported.

comment:2 Changed 4 years ago by rutsky

> Last time we looked, the dependency management service was not supporting several packages per git tree.

From the pyup docs it looks like they should support specifying multiple requirements.txt files from arbitrary paths in the git tree.

Using a separate requirements.txt file will also duplicate the dependency listing (one in setup.py, one in requirements.txt).

Also, I don't see an easy way of adopting requirements.txt with the current Travis/BuildbotTravis pipeline without significant refactoring.

comment:3 Changed 4 years ago by rutsky

@tomprince mentioned service for tracking dependencies: https://requires.io/

comment:4 Changed 4 years ago by rutsky

  • Resolution set to wontfix
  • Status changed from new to closed

Closing for now. Feel free to reopen.
